On Jan 30, 2008, at 4:33 PM, Justin Shore wrote:
I'm sure all of us have parts of the Internet that we block for one reason or another. I have existing methods for null routing traffic from annoying hosts and subnets on our border routers today (I'm still working on a network blackhole). However I've never tackled the problem by targeting a bad guy's ASN. What's the best option for null routing traffic by ASN? I could always add another deny statement in my inbound eBGP route-maps to match a new as-path ACL for _BAD-ASN_ to keep from accepting their routes to begin with. Are there any other good tricks that I can employ?
I have another question along those same lines. Once I do have my blackhole up and running I can easily funnel hosts or subnets into the blackhole. What about funneling all routes to a particular ASN into the blackhole? Are there any useful tricks here?
I'd recommend you exercise extreme caution with any such policy. Specifically, if the origin[?] AS that you're wanting to drop all traffic from gets wind of such a policy, they could easily announce other prefixes that result in your dropping that traffic, introducing a more effective DoS vector. Other ASes could easily spoof an origin AS and trigger such a policy application as well. You should probably do this explicitly based on prefix and null route from some centralized route server w/uRPF and not as a matter of automated policy based on a given AS Path set. If you're simply worried about destination reachability to prefixes provided by those ASes in question, then you could employ a BGP filter on ingress dropping prefixes with those ASes in the path -- although I think your query was more concerned with ingress traffic from those ASes, not egressing destined to those networks. Finally, as Ferg said, networks of that sort seem to find a need to diversify their connectivity periodically -- all the more reason to avoid such policies. -danny